The "state" field of ra output
Andrew Pollock
andrew-argus at andrew.net.au
Mon Oct 21 22:56:21 EDT 2002
On Tue, Oct 22, 2002 at 03:44:46PM +1300, Russell Fulton wrote:
[snip]
> Not exactly, a RST in the status field says that the session was
> terminated by an RST. I.e. it may have been established and transferred
> 100MB of data via scp and then terminated by a RST rather than a FIN.
This part of the ra manpage may need clarification:
Thu 12/29 06:40:32 tcp 132.3.31.15.6200 <| 12.23.14.77.25 RST
This tcp transaction from the smtp port of host
12.23.14.77 was RESET, indicating that the transaction was
denied.
> Use -Ac to get packet and databyte counts.
Yeah, I'm doing so already.
> >
> > I'm wondering if the monitoring check isn't closing the SSH connection
> > cleanly, and it's issuing a reset. I haven't yet done some analysis with
> > tcpdump to verify this.
> >
> > I'm wondering how you can determine which side of the connection issued
> > the reset, and if my theory above holds water, this changes the
> > interpretation of the ra output somewhat, doesn't it?
>
> The direction arrow -> tells you the direction of the RST.
>
> You can also use -Zb to get all the flags displayed in the status
> field. I use this all the time (I added it to argus so I'm biased ;-)
>
> Cheers, Russell
>
> --
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland, New Zealand
>
> "It ain't necessarily so" - Gershwin
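The point Russell makes above, that an RST in the state field only tells you how the flow ended and not whether it was "denied", is easiest to see by folding raw packets into per-flow summaries the way a flow monitor does. The Python below is an added illustration and is not argus code or the ra output parser; the packet records, addresses and flag strings are constructed, and it stands in for the information ra's -Ac byte counts and direction arrow carry. It distinguishes a SYN refused with RST (the manpage's "denied" reading) from an established session that moved data and was then torn down by one side's RST, and from a clean FIN close.

```python
"""Constructed example: why 'RST' in a flow's state is not the same as 'denied'.

Not argus/ra code. Packet records below are made up for illustration.
"""
from dataclasses import dataclass


@dataclass
class Pkt:
    src: str            # "ip.port", as ra prints addresses
    dst: str
    flags: str          # TCP flags present: S=SYN, A=ACK, F=FIN, R=RST, P=PSH
    payload: int = 0    # bytes of TCP payload carried by this packet


def summarise(packets):
    """Fold packets into per-flow records keyed by (initiator, responder).

    Keeps what a flow monitor keeps: who sent the SYN, whether the three-way
    handshake completed, payload bytes in each direction, and how the flow
    ended (FIN or RST) and which side ended it. Flows whose SYN was not seen
    are ignored, as we cannot tell initiator from responder for them.
    """
    flows = {}
    for p in packets:
        if (p.src, p.dst) in flows:
            key = (p.src, p.dst)
        elif (p.dst, p.src) in flows:
            key = (p.dst, p.src)
        else:
            if "S" not in p.flags or "A" in p.flags:
                continue            # mid-flow packet for a flow we never saw start
            key = (p.src, p.dst)
            flows[key] = {"synack": False, "established": False,
                          "bytes": {p.src: 0, p.dst: 0},
                          "end": None, "ended_by": None}
        f = flows[key]
        initiator, responder = key
        side = "initiator" if p.src == initiator else "responder"

        if side == "responder" and "S" in p.flags and "A" in p.flags:
            f["synack"] = True                       # second handshake packet
        elif side == "initiator" and "A" in p.flags and f["synack"] and not f["established"]:
            f["established"] = True                  # third handshake packet

        f["bytes"][p.src] += p.payload

        if "R" in p.flags:
            f["end"], f["ended_by"] = "RST", side    # RST always wins as the terminator
        elif "F" in p.flags and f["end"] is None:
            f["end"], f["ended_by"] = "FIN", side    # first FIN records who closed
    return flows


def interpret(f):
    """Turn a flow record into the reading a person should give its state."""
    total = sum(f["bytes"].values())
    if f["end"] == "RST":
        if not f["established"] and total == 0:
            return "denied: reset before the handshake completed, no data moved"
        return f"established session aborted by {f['ended_by']} RST after {total} bytes"
    if f["end"] == "FIN":
        return f"closed cleanly by {f['ended_by']} FIN after {total} bytes"
    return "no teardown seen"


def report(packets):
    """Map each flow key to its interpretation; handy for tests and scripts."""
    return {key: interpret(f) for key, f in summarise(packets).items()}


# Constructed sample traffic (three flows to a hypothetical SSH server 10.0.0.9).
SAMPLE = [
    # Flow 1: SYN answered with RST/ACK, the case the manpage calls "denied"
    Pkt("10.0.0.5.40001", "10.0.0.9.22", "S"),
    Pkt("10.0.0.9.22", "10.0.0.5.40001", "RA"),
    # Flow 2: full handshake, data both ways, then the client aborts with RST
    Pkt("10.0.0.5.40002", "10.0.0.9.22", "S"),
    Pkt("10.0.0.9.22", "10.0.0.5.40002", "SA"),
    Pkt("10.0.0.5.40002", "10.0.0.9.22", "A"),
    Pkt("10.0.0.5.40002", "10.0.0.9.22", "PA", 100),
    Pkt("10.0.0.9.22", "10.0.0.5.40002", "PA", 300),
    Pkt("10.0.0.5.40002", "10.0.0.9.22", "R"),
    # Flow 3: same session shape, closed cleanly with FIN from the client
    Pkt("10.0.0.5.40003", "10.0.0.9.22", "S"),
    Pkt("10.0.0.9.22", "10.0.0.5.40003", "SA"),
    Pkt("10.0.0.5.40003", "10.0.0.9.22", "A"),
    Pkt("10.0.0.5.40003", "10.0.0.9.22", "PA", 50),
    Pkt("10.0.0.5.40003", "10.0.0.9.22", "FA"),
    Pkt("10.0.0.9.22", "10.0.0.5.40003", "FA"),
    Pkt("10.0.0.5.40003", "10.0.0.9.22", "A"),
]

if __name__ == "__main__":
    for (src, dst), verdict in report(SAMPLE).items():
        print(f"{src} -> {dst}: {verdict}")
```

Flows 1 and 2 both end with an RST, so a state column alone would print the same thing for them; only the byte counts and the side that sent the RST separate a refused connection from a monitoring check that tore down a working SSH session without a FIN.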